Does my small to medium sized business require a privacy policy?

Susan operates a curtain business with fewer than 19 employees. The business is a small/medium sized enterprise (SME). Susan has been the director and sole shareholder of the business for 25 years. Over this time, the databases of the business have accumulated hundreds of customer emails which are stored in an Excel spreadsheet and are used to address the quarterly newsletter. 

Should Susan’s business have a privacy policy in regard to this storage of personal information? Yes, but why?

The Privacy Act 1993 controls how agencies, which include SMEs and social clubs, collect, use, disclose, store, and give access to personal information. The new Privacy Act 2020 is set to replace the 1993 Act on 1 November 2020.

According to Privacy Commissioner John Edwards, the most notable change to the new Act will be the introduction of a requirement to report serious privacy breaches. If there is a breach that has caused serious harm or poses a risk of causing someone serious harm, it must be reported to the Privacy Commissioner’s office and to any affected individuals.

A privacy breach requires an action inconsistent with one of the twelve privacy principles. Mainly, these principles regulate how an agency collects personal information, its storage and security, and its retention. Currently, reporting privacy breaches is not required.

This change to the Act is in line with the approaches taken by both Australia and Canada. An objective statutory test for determining and reporting harm will likely provide the New Zealand privacy law landscape with more certainty and consistency in resolving breaches of the Act, particularly in light of the country’s rapid technological evolution, and notably as SMEs become more technologically inclined.

As the commencement date of the new Act will soon be upon us, this may be a good opportunity for agencies to review and update their existing policies and procedures to prevent, mitigate, and report breaches, while ensuring compliance with the law.  

The commercial team at Schnauer & Co Lawyers are here to support you throughout this process. 

Some quick tips for Susan

1) Ensure that the privacy policy clearly sets out what personal information is collected and what it is used for. The privacy policy should state that the business retains customer emails in order to address the quarterly newsletter. It is a contravention of the Act to use the information for any other purpose, with some exceptions.

2) Another possible addition to the privacy policy is the business’ step-by-step approach to preventing and resolving a breach. This will reassure customers that their personal information is being taken seriously and that there are appropriate safeguards in place to protect it. Here, a private Excel spreadsheet may be considered a reasonable safeguard to protect the emails. However, if the business were to also retain payment details and addresses, the risk of identity theft in the event of a breach increases and further safeguards may be appropriate.

3) The Act also requires Susan’s business to have at least one privacy officer. This can be an existing employee. Their contact information should be provided along with the privacy policy so that complaints and queries can be dealt with. Having a privacy officer also encourages internal compliance with the privacy principles and holds the business accountable to itself.

Please be aware that these are general guidance points and do not constitute legal advice.

If you have any questions in regard to updating your company’s privacy policy, or creating a new one, please do not hesitate to contact us.